Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/11/02 14:03:00 UTC

[jira] [Commented] (NIFI-10748) Upgrade com.h2database to 2.1.214

    [ https://issues.apache.org/jira/browse/NIFI-10748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627731#comment-17627731 ] 

David Handermann commented on NIFI-10748:
-----------------------------------------

As noted in the comments for NIFI-9585, the reference to H2 1.4.200 is necessary in order to support automatic migration from older versions.  Removes some of the vulnerable classes and repackages the H2 library for the sole purpose of migration, so no H2 1.4 code is used after the migration process completes.

We should be able to drop the migration support in the next major release of NiFi, but it is still necessary for now.

> Upgrade com.h2database to 2.1.214
> ---------------------------------
>
>                 Key: NIFI-10748
>                 URL: https://issues.apache.org/jira/browse/NIFI-10748
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.18.0
>            Reporter: Mike R
>            Priority: Major
>
> There are several versions of com.h2database used in NiFi, with some instances being 2.1.214, while others are 1.4.200.
> There are several CVEs in the 1.4.200 program that are resolved in 2.1.214 that are all high or critical with scores above 8.1:
> [CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
> [CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
> [CVE-2021-23463|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463]
> The last remaining instance is found at: nifi-h2/nifi-h2-database/pom.xml
> It looks like the remaining instances of h2 were updated in NiFi-9585: [NIFI-9585 Upgraded H2 from 1.4 to 2.1.210 · apache/nifi@bcc8d03 (github.com)|https://github.com/apache/nifi/commit/bcc8d03314889e7d2d0724390059d0315efe2a34]
>  
> Here are the release notes for h2 database http://www.h2database.com/html/changelog.html


